The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-217020 | SRG-NET-000205-RTR-000002 | JUNI-RT-000140 | SV-217020r604135_rule | 2024-12-05 | 3 |
Description |
---|
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. |
ℹ️ Check |
---|
Review the filter that is applied inbound to the loopback interface and verify that it discards fragmented ICMP packets, as shown in the example below. |

```
firewall {
    family inet {
        …
        …
        …
        filter DESTINED_TO_RE {
            …
            …
            …
            term BLOCK_ICMP_FRAG {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    discard;
                }
            }
            term ICMP_ANY {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term DENY_BY_DEFAULT {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
```

If the router's filter is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
✔️ Fix |
---|
Configure the filter that is applied inbound to the loopback interface to drop all fragmented ICMP packets, as shown in the example below. |

```
[edit firewall family inet filter DESTINED_TO_RP]
set term BLOCK_ICMP_FRAG from protocol icmp is-fragment
set term BLOCK_ICMP_FRAG then discard
insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT
```